b'FDIC\xe2\x80\x99s PRIVACY AND SECURITY NOTICES \xe2\x80\x93\nRequirements and Policy Statements on the Internet and Intranet\n\nOffice of Inspector General\nOffice of Congressional Relations and Evaluations\nMay 19, 2000\nEvaluation Report No. 00-004\n\n\n\n\n                                   REPORT HIGHLIGHTS\n\n\n\n                                 Privacy and Security Notices at FDIC.gov\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa612\n\n                                  FDIC\xe2\x80\x99s Privacy Policy Statement Was\n                                  Generally Consistent with Guidance,\n                                  But More Links to the Privacy Policy\n                                  Statement Are Needed\n\n                                 Privacy and Security Notices at FDICnet\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..17\n\n                                  No Requirement Exists for Employee Privacy\n                                  Policy, But Experts Favor the Practice\n\n                                 FDIC Should Consider Establishing a Corporate\n                                 Focal Point for Privacy ..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa623\n\n                                 Corporation Comments\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..26\n\x0c                                                   Congressional Relations and Evaluations\n                                                                Office of Inspector General\n\n\n\n\nLETTER FROM THE DIRECTOR\nDate: May 19, 2000\n\nTo:   John F. Bovenzi\n      Deputy to the Chairman and Chief Operating Officer\n\n      Chris Sale\n      Deputy to the Chairman and Chief Financial Officer\n\n      William F. 
Kroener, III\n      General Counsel\n\n      Donald C. Demitros\n      Director, Division of Information Resources Management and Chief\n      Information Officer\n\n\nPrivacy has been and continues to be of significant concern to the public and the\nCongress. This was the first in a series of reviews that we plan to conduct\ncovering privacy-related issues. As you know, the Corporation must be sensitive\nto privacy issues on several levels \xe2\x80\x93 as a government agency \xe2\x80\x93 in its capacity as\na regulator of financial institutions \xe2\x80\x93 and as an employer.\n\nGiven the heightened concerns about online privacy and, in particular, the\ndisclosures made about information collected from visitors to web sites, we\ndecided to concentrate our first review on FDIC\xe2\x80\x99s web site disclosure statements.\nSpecifically, our objective was to determine whether the content and placement\nof web site privacy and security disclosure statements on FDIC\xe2\x80\x99s external and\ninternal web sites met applicable disclosure requirements and concerns, and if\nnot, what action FDIC was taking to address those matters. Further, consistent\nwith the mission of our office, we undertook this review to identify emerging\nissues that may warrant management\xe2\x80\x99s attention. In fact, we identified one issue\nwe believed warranted your attention and further study.\n\nTo accomplish our objective, we researched existing and evolving disclosure\nrequirements and practices, interviewed FDIC and external officials that were\nknowledgeable about privacy policy requirements, and lastly, used the\ninformation obtained to evaluate FDIC\xe2\x80\x99s existing external and internal web\nprivacy and security policies.\n\nFDIC\xe2\x80\x99s external web site had a Privacy Policy Statement that described its\ninformation handling practices. 
We found that the content of FDIC\xe2\x80\x99s Privacy\n\x0cPolicy Statement on its external web site was substantially consistent with\napplicable guidance. We believed this was noteworthy because FDIC\xe2\x80\x99s Privacy\nPolicy Statement was developed and posted on its external web site in 1998 \xe2\x80\x93\nbefore any requirement to do so. FDIC\xe2\x80\x99s Privacy Policy Statement only lacked\none of the recommended language elements included in the Office of\nManagement and Budget 1999 policy guidelines. Specifically, it lacked security,\nintrusion, and detection language. However, we found that FDIC\xe2\x80\x99s General\nDisclaimer included this type of language. In addition, we found that more links\nwere needed to the Privacy Policy Statement to fully comply with the\nrequirements. Moreover, we determined that awareness of disclosure\nrequirements might have been limited among FDIC Webmasters and Internet\nCoordinators.\n\nInternally, there was not a requirement to post a clearly labeled privacy policy\nstatement for employees on FDIC\xe2\x80\x99s internal system and FDIC had not done so.\nHowever, privacy experts are recommending that employers post a visible\nbanner addressing employee privacy expectations as well as security concerns.\nIn addition, some agencies, including the Department of Justice, have begun to\nvisibly post such notices on their systems. FDIC believed that its existing policies\nprovide adequate notice to employees. Nevertheless, additional reminders\nregarding the written procedures would further enhance FDIC policies.\n\nIn summary, we made recommendations designed to ensure that FDIC\xe2\x80\x99s external\nprivacy policy is placed where required through increased awareness of key\nemployees and strengthened procedures. In addition, we recommended that\nFDIC create and post a policy notice for its internal system. 
We believed adding\na succinct policy statement where employees could regularly see it was a\nprudent step and consistent with the notice principle and disclosure framework\nestablished for external web sites.\n\nFinally, we identified a matter we believed warranted further study by the\nCorporation. In short, we found that private sector entities and some federal\nagencies are establishing privacy focal points. At the federal level, these officials\nare distinct from the Privacy Act Officer. We recommended that FDIC examine\nthe need for a corporate official or committee of officials who would serve as a\nfocal point and coordinate the Corporation\xe2\x80\x99s privacy-related activities, many of\nwhich fall outside the parameters of those typically handled by the Privacy Act\nOfficer.\n\nOn May 15, 2000, we received a written response from the General Counsel\naddressing recommendations 1 and 6. On May 17, 2000, the Director, Division\nof Information Resources Management provided a written response to\nrecommendations 2 through 5. Overall, both the General Counsel and Director\nagreed with the findings and recommendations. The responses provided the\nrequisite elements of a management decision for each of the recommendations.\nThe written responses are included in their entirety in Appendix I. Appendix II\n\n\n\n                                          2\n\x0cpresents our assessment of the responses to the recommendations and shows\nthat we have a management decision for each of the recommendations.\n\n\n\nStephen M. 
Beard\nDirector, Office of Congressional Relations and Evaluations\nOffice of Inspector General\n\n\n\n\n                                       3\n\x0c Table of Contents\n\n\nLetter from the Director                                1\n\nBackground                                              5\n\nObjective, Scope, and Methodology                       9\n\nPrivacy and Security Notices at FDIC.gov                12\n\n\xc3\xbc Applicable Guidance from OMB                          12\n\n\xc3\xbc Content of FDIC\xe2\x80\x99s Privacy Policy Statement\n  Was Generally Consistent with OMB Guidance            13\n\n\xc3\xbc Additional Links Needed to FDIC Privacy               15\n  Policy Statement\n\nPrivacy and Security Notices at FDICnet                 17\n\n\xc3\xbc No Requirement Exists for Employee Privacy\n  Policy Statement, But Experts Favor the Practice      17\n\n\xc3\xbc Succinct Notice of Existing Employee Privacy\n  and Security Policies Needed                          19\n\nFDIC Should Consider Establishing a Corporate Focal\nPoint for Privacy                                       23\n\nCorporation Response and OIG Evaluation                 25\n\nAppendix I: Corporation Comments                        26\n\nAppendix II: Management Response to Recommendations     30\n\nAppendix III: FDIC\xe2\x80\x99s External Web Site Privacy Policy   32\nStatement\n\nAppendix IV: CIO Council\xe2\x80\x99s Proposed Security Notice     34\n\n\n\n\n                                      4\n\x0c    Background\n\n\n\n     Throughout government there is a shared realization that rapid advances in technology,\n     interconnectivity, and expanding usage of the Internet increases the need for and priority\n     on adequate security and privacy measures.\n\n     Chief Information Office Council Fiscal Year 2000 Strategic Plan\n\n\n\n\n    Recent studies have shown that privacy is the number one concern of those\n    using the Internet. 
Web sites are a powerful tool for providing information on\n    activities, objectives, policies, and programs of federal agencies and privacy has\n    become a critical issue to the development of web sites. With the traditional\n    concerns of government surveillance and use of personal information, federal\n    agencies need to be particularly vigilant in addressing privacy issues. In fact,\n    the Privacy Act of 1974 was intended to balance the government\xe2\x80\x99s need to\n    maintain information about individuals and an individual\xe2\x80\x99s right to be protected\n    against unwarranted invasions, maintenance, use, and disclosure of personal\n    information by federal agencies. However, legislators did not anticipate the\n    advent of the Internet when the Privacy Act was created.\n\n    Accordingly, creating information collection guidelines and standards on the\n    World Wide Web has been a consistent problem for the federal government\n    since its agencies started creating web sites. The Office of Management and\n    Budget (OMB) and General Services Administration (GSA) issued memoranda\n    specifically to address this issue. 1 In 1998, GSA issued a memorandum for\n    Chief Information Officers and Federal Webmasters outlining Top Privacy\n    Principles for Federal Web Sites. GSA\xe2\x80\x99s privacy principles are highlighted on\n    the next page. GSA\xe2\x80\x99s memorandum suggested that a privacy notice is needed\n    for the web site as a whole to cover web site issues such as logs, E-mails to the\n    Webmaster, and other web site issues. The memorandum further stated that\n    the emerging practice is to provide a button on the initial home page which\n    provides a central location for various disclaimers and legal notices.\n\n\n\n\n1\n  OMB has overall responsibility for privacy information and provides guidance on privacy in OMB\nCircular A-130, Management of Federal Information Resources. 
GSA\xe2\x80\x99s Office of Information\nTechnology issued the memorandum on privacy principles. The Office of Information Technology\nis responsible for promoting the strategic management and effective use of Federal information\ntechnology through collaborative development of governmentwide programs.\n\n\n                                                   5\n\x0c                        Privacy Principles for Federal Web Sites\n\n    1. Place a high priority on protecting the public\xe2\x80\x99s privacy at federal web sites.\n    2. Stay up-to-date on the impact that changes in web site technology have on privacy.\n    3. Notify the public using an appropriate privacy notice whenever you are collecting data\n       on the Internet.\n    4. Use information only for the purpose for which it was gathered as disclosed in the\n       privacy notice.\n    5. Protect privacy for all forms of data (text, graphics, sound, and video).\n    6. Balance the Freedom of Information Act and the Privacy Act of 1974.\n    7. Information obtained to conduct system administration functions must still be protected.\n    8. Involve and coordinate with the agency\xe2\x80\x99s privacy officer when developing applications\n       using the Internet.\n\n    GSA Memorandum Top Privacy Principles for Federal Web Sites\n\n\nIn 1999, OMB issued a memorandum, Privacy Policies on Federal Web Sites, to\nthe Heads of Executive Departments and Agencies directing agencies to post\nclear privacy policies on World Wide Web sites, and provided guidance for doing\nso. A privacy policy is generally a comprehensive disclosure describing the\ngeneral or on-line policies and practices related to the collection and use of\ninformation. 
These privacy policy statements are designed to ensure that\nindividuals have notice and choice about, and thus confidence in, how their\npersonal information is handled when they use the Internet.\n\nThese privacy policy statements are also designed to accommodate the unique\nnature of web sites that the Privacy Act did not consider. For instance, the\nPrivacy Act requires agencies to provide a Privacy Act notice to each individual\nfrom whom it collects information, which is stored in a system of records, keyed\nto a personal identifier or other identifying symbol assigned to an individual.2\n\nHowever, according to OMB\xe2\x80\x99s memorandum, a large fraction of federal web\npages have not collected significant amounts of identifiable information in ways\nthat entered directly into systems of records covered by the Privacy Act. Mindful\nthat federal agencies must protect an individual\xe2\x80\x99s right to privacy when they\ncollect personal information, OMB is requiring federal web sites to include a\nprivacy policy statement, even if the site does not collect any information that\nresults in creating a Privacy Act record.\n\nIn the private sector, there is no requirement that entities post a privacy policy\nstatement on their web sites, but more firms are voluntarily doing so. In fact,\n1999 studies looking at whether top private sector web sites post privacy\nstatements revealed that most sites have privacy policies posted. 
In comparison\n\n2\n The Privacy Act requires that agencies provide Privacy Act notices to inform individuals of the\nauthority for the solicitation of information, whether disclosure of the information is mandatory or\nvoluntary, the principle purposes for which the information will be used, the routine uses to be\nmade of the information, and the effects, if any, of not supplying all or part of the information.\n\n\n                                                  6\n\x0cto similar studies done in 1997 and 1998, the private sector showed marked\nimprovement. The 1999 studies also point out that policy statements do not\nalways include all the necessary elements that should be included based on fair\ninformation practices.\n\nFDIC, in cooperation with other federal bank and thrift regulatory agencies, also\nconducted a survey of the Internet privacy policies of insured depository\ninstitutions during May and July 1999. The survey revealed that many\ninstitutions are taking responsible, voluntary strides toward addressing the\npublic\xe2\x80\x99s privacy concerns. However, the survey results also indicated that the\nindustry can and should do more in this area.\n\nPrivacy policy statements address one of the fundamental fair information\npractices \xe2\x80\x93 the principle of notice. 
The National Information Infrastructure Task\nForce described this principle in 1995.\n\n                                       Notice Principle\n\n  Information users who collect personal information directly from the individual should\n  provide adequate, relevant information about \xe2\x80\x93\n  \xe2\x80\xa2   why they are collecting the information;\n  \xe2\x80\xa2   what the information is expected to be used for;\n  \xe2\x80\xa2   what steps will be taken to protect its confidentiality, integrity, and quality;\n  \xe2\x80\xa2   the consequences of providing or withholding information; and\n  \xe2\x80\xa2   any rights of redress.\n\n  Privacy and the National Information Infrastructure: Principles for Providing and\n  Using Personal Information\n\n\n\n\nAnother aspect of privacy to be considered in light of emerging technology\ninvolves employee privacy. Indeed, GSA\xe2\x80\x99s 1998 memorandum indicated that the\nprivacy rights of employees must also be considered in the development of web\nsites for Intranets. In short, new technologies make it possible for employers to\nmonitor employees\xe2\x80\x99 use of electronic equipment. For instance, more companies\nare beginning to monitor employees\xe2\x80\x99 use of the Internet. Privacy advocates\nacknowledge that employers have a legitimate interest in monitoring work to\nensure efficiency and productivity. Employers also need to ensure that\nemployees act responsibly and use these technologies with care, otherwise\ncomputer security and corporate confidential and proprietary information could be\ncompromised resulting in substantial loss. 
However, unless employees are\nalerted \xe2\x80\x93 given notice, for example \xe2\x80\x93 to monitoring, it could be considered by\nemployees and the courts to be a violation of employees\xe2\x80\x99 reasonable expectation\nof privacy.\n\n\n\n\n                                                   7\n\x0cIn this context, FDIC must address privacy on three levels:\n\n              \xe2\x80\xa2   as a government agency with a public web site;\n              \xe2\x80\xa2   as a regulator charged, in part, to monitoring how financial\n                  institutions address this issue; and\n              \xe2\x80\xa2   as an employer with an Intranet.\n\n\n\n\n                                         8\n\x0c    Objective, Scope, and Methodology\n\nThis review was one in a series of reviews we plan to conduct on privacy-related\ntopics. The objective of this review was to determine whether the content and\nplacement of web site privacy and security disclosure statements on FDIC\xe2\x80\x99s\nexternal and internal web sites meet applicable privacy and security-related\ndisclosure requirements and concerns, and if not, what action FDIC is taking to\naddress those matters. Consistent with the mission of our office, we undertook\nthis review not only to provide assurance that FDIC\xe2\x80\x99s existing policies and\npractices are consistent with applicable guidance, but also to identify emerging\nissues that may warrant management\xe2\x80\x99s attention.\n\nTo accomplish our objective we:\n\n\xc3\xbc Interviewed officials from the OMB, GSA Office of Governmentwide Policy,\n  and the Chief Information Officers (CIO) Council. 
3 Our research indicated\n  that these officials were knowledgeable about governmentwide policies on\n  privacy and security.\n\n\xc3\xbc Researched privacy-related topics on the Internet to yield articles and issue\n  papers relevant to our review.\n\n\xc3\xbc Identified and reviewed the following guidance for federal agencies:\n\n        \xe2\x80\xa2   OMB Memorandum 99-18 Privacy Policies on Federal Web Sites\n            dated June 2,1999,4\n        \xe2\x80\xa2   GSA Memorandum for Chief Information Officers and Federal\n            Webmasters on Top Privacy Principles for Federal Web Sites issued in\n            1998,\n        \xe2\x80\xa2   GSA Office of Governmentwide Policy Memorandum, Model \xe2\x80\x9cLimited\n            Personal Use Policy\xe2\x80\x9d of Government Equipment dated June 7, 1999,\n            and\n        \xe2\x80\xa2   National Information Infrastructure Task Force paper entitled Privacy\n            and the National Information Infrastructure: Principles for Providing and\n            Using Personal Information dated June 6, 1995.\n\n\xc3\xbc Discussed the development of FDIC\xe2\x80\x99s Privacy Policy Statement and General\n  Disclaimer and relevant FDIC policies and procedures with officials in the\n  Division of Information Resources Management (DIRM), Legal Division,\n\n\n3\n  The CIO Council is the principal interagency forum to improve the design, modernization, use,\nsharing, and performance of Information Technology resources.\n4\n  We did not ask FDIC\xe2\x80\x99s Legal Division to formally opine whether FDIC was required to comply\nwith OMB\xe2\x80\x99s memorandum because DIRM officials told us it was their intent to comply regardless\nof its statutory applicability to the Corporation.\n\n\n                                               9\n\x0c   Office of the Executive Secretary (OES), Division of Compliance and\n   Consumer Affairs (DCA), and Office of Corporate Communications.\n\n\xc3\xbc Reviewed relevant FDIC policies, 
including:\n\n      \xe2\x80\xa2   Circular 1370.3, Use of Electronic Communications, dated August 6,\n          1997,\n      \xe2\x80\xa2   Circular 1351.3, Internet Access and Acceptable Uses, dated\n          September 2, 1994,\n      \xe2\x80\xa2   Circular 1370.4, Publishing FDIC Information Via the Internet and\n          FDICnet, dated August 29, 1997,\n      \xe2\x80\xa2   Circular 1031.1, Privacy Act of 1974: Employee Rights and\n          Responsibilities, dated March 29, 1989, and\n      \xe2\x80\xa2   Circular 1213.1, FDIC Forms Management Program, dated\n          October 20, 1994.\n\n   Our review of FDIC\xe2\x80\x99s policies addressing employees\xe2\x80\x99 use of FDIC\xe2\x80\x99s computer\n   resources was limited to the privacy aspect of those policies.\n\n\xc3\xbc Reviewed FDIC Correspondence Manual Chapter 7, Electronic\n  Correspondence and DIRM\xe2\x80\x99s A User\xe2\x80\x99s Guide to Information Security.\n\n\xc3\xbc Evaluated the placement and content of FDIC\xe2\x80\x99s existing Privacy Policy\n  Statement and General Disclaimer on the external home page based on the\n  relevant guidance on privacy and security notices we identified. Specifically,\n  we:\n      \xe2\x80\xa2 compared the language content of FDIC\xe2\x80\x99s policy to guidance in OMB\n        Memorandum 99-18 and GSA Memorandum on Top Privacy Principles\n        for Federal Web Sites, and\n      \xe2\x80\xa2 systematically reviewed FDIC\xe2\x80\x99s external web pages to test whether the\n        required privacy policy link was located on pages where personal\n        information was collected from the public.\n\n\xc3\xbc Reviewed and evaluated FDIC\xe2\x80\x99s disclaimers and notices posted on FDIC\xe2\x80\x99s\n  Intranet (FDICnet).\n\n\xc3\xbc Sent a survey to 54 FDIC staff members who are designated as Division\n  Internet Coordinators or Webmasters. 
The intent of our survey was to assess\n  their knowledge of OMB\xe2\x80\x99s guidance for external web privacy policies and\n  FDIC\xe2\x80\x99s Privacy Policy Statement and General Disclaimer. Additionally, we\n  were interested in getting their views on posting a privacy statement for\n  employees. We received responses from 14 of the 54 officials surveyed.\n\n\xc3\xbc Contacted other agencies, primarily federal banking and thrift regulatory\n  agencies, to learn about: Internet privacy policies, Internet security and\n  general disclaimer notices, and whether privacy and security notices were\n\n\n                                      10\n\x0c   visibly posted on their respective Intranets. Our goal in doing so was to\n   identify best practices. Specifically, we reviewed the privacy policies posted\n   on the principle web page for the Office of Comptroller of the Currency\n   (OCC), Board of Governors of the Federal Reserve System (Federal\n   Reserve), Office of Thrift Supervision (OTS), National Credit Union\n   Administration (NCUA), and Department of the Treasury. The Federal\n   Reserve also has a separate disclaimer posted that we reviewed in\n   conjunction with its privacy policy.\n\n\xc3\xbc Interviewed an official at the Department of Justice to discuss the type of\n  notice or banner posted on its internal system and rationale for doing so.\n\n\xc3\xbc Coordinated our review with OIG\xe2\x80\x99s Office of Audit, which was conducting a\n  related review entitled Controls Over Employee Internet Use. The objectives\n  of that review were to determine the adequacy of (1) FDIC\xe2\x80\x99s policies\n  governing Internet use and (2) current procedures and tools used to monitor\n  FDIC employees use of Internet resources.\n\n\xc3\xbc Consulted with the OIG\xe2\x80\x99s Office of Counsel.\n\nDuring our review, OES and the Legal Division reviewed web forms to ensure\nthat the proper Privacy Act notices were on those forms. 
Accordingly, the scope\nof our review did not include evaluating whether Privacy Act notices were\nincluded where required. However, we did consider the results of their review in\nevaluating issues that we believe may warrant management attention.\n\nWe conducted our review from November 1999 to March 2000 according to the\nPresident\xe2\x80\x99s Council on Integrity and Efficiency\xe2\x80\x99s Quality Standards for\nInspections.\n\n\n\n\n                                        11\n\x0c Privacy and Security Notices at FDIC.gov\n\nFDIC\xe2\x80\x99s Privacy Policy Statement on its World Wide Web page (www.fdic.gov)\nwas substantially consistent with the model language provided in OMB\nMemorandum 99-18 Privacy Policies on Federal Web Sites, and with the content\nof privacy statements of other agencies that we contacted. However, it lacked\nsecurity, intrusion, and detection language that OMB suggested agencies include\nin their privacy policy statements. In addition, we found the Privacy Policy\nStatement was not located on all web pages that collect personal information as\nrequired. A review of web forms done by the Legal Division and OES also found\nthat the required Privacy Act notices were not on all web forms as required.\nFinally, our survey results indicated that awareness of privacy disclosure\nrequirements might have been limited among FDIC Webmasters and Internet\nCoordinators.\n\nApplicable Guidance from OMB\n\nThe intent of a privacy policy statement is to tell visitors to the site how any\ninformation obtained from them, either automatically or voluntarily provided, is\nhandled. As discussed in the background section, OMB\xe2\x80\x99s Memorandum 99-18,\nPrivacy Policies on Federal Web Sites, provides guidance for creating a privacy\npolicy statement. 
We also learned that the CIO Council was in the process of\ndeveloping guidance to standardize security notices posted on federal web sites.\n\n\n                       OMB\xe2\x80\x99s Privacy Policy Requirements\n\xe2\x80\xa2   Post a privacy policy statement on the principal web sites by September 1, 1999.\n\xe2\x80\xa2   By December 1, 1999, OMB directed agencies to add privacy policies to any other\n    known, major entry points as well as at any web page where substantial personal\n    information from the public is collected.\n\xe2\x80\xa2   Each policy must clearly and concisely inform visitors to the site\n\n                \xc3\xbc what information the agency collects about individuals,\n                \xc3\xbc why the agency collects it, and\n                \xc3\xbc how the agency will use it.\n\xe2\x80\xa2   Privacy policies must be clearly labeled and easily accessed when someone visits a\n    web site.\n\n\nTo assist agencies in reviewing their existing privacy policies or in creating such\na policy, OMB provided guidance and model language for several different\ninformation practices. OMB\xe2\x80\x99s memorandum stated that agencies could use the\nmodel language verbatim, or as a starting point in crafting a policy tailored to\nmeet the agencies\xe2\x80\x99 own requirements. 
OMB\xe2\x80\x99s memorandum suggested that\nagencies include the following language in their privacy policies:\n\n\n\n                                               12\n\x0cIntroductory language                \xc3\xbc Overview language about privacy practices at the start\n                                       of the policy.\n\nInformation collected and stored     \xc3\xbc The policy should make clear whether or not the\nautomatically                          agency is collecting information automatically or using\n                                       cookies and whether any steps will be taken to collect\n                                       more information.\n\nInformation collected from E-        \xc3\xbc Some statement about how identifiable information is\nmails and web forms                    treated when the individuals provide it through E-mail\n                                       or web forms.\n\nSecurity, intrusion, and detection   \xc3\xbc Some statement about whether the agency uses\nlanguage                               information collected on a site to detect harmful\n                                       intrusions and to take action once an intrusion is\n                                       detected.\n\nSignificant actions where            \xc3\xbc For situations where a Privacy Act notice would be\ninformation may be subject to the      required in the paper-based world, the general\nPrivacy Act                            principle is that the equivalent notice is required in the\n                                       on-line world. 
Posting of the relevant Privacy Act\n                                       notice on the web page or through a well-marked\n                                       hyperlink would be appropriate.\n\n\n\nContent of FDIC\xe2\x80\x99s Privacy Policy Statement Was Generally Consistent with\nOMB Guidance\n\nFDIC\xe2\x80\x99s Privacy Policy Statement was developed with input from DIRM, the\nInternet Operating Committee, OES, DCA, and the Legal Division. FDIC\xe2\x80\x99s policy\nstatement was developed and posted on the external web site in 1998. Officials\nreviewed the policy statement after OMB\xe2\x80\x99s memorandum was issued in 1999.\nFDIC\xe2\x80\x99s Privacy Policy Statement discloses the Corporation\xe2\x80\x99s information\ngathering and dissemination practices of its web site.\n\nConsistent with OMB\xe2\x80\x99s memorandum, FDIC\xe2\x80\x99s privacy policy describes what\ninformation the agency collects about individuals, why the agency collects the\ninformation, and how the agency will use the information. FDIC\xe2\x80\x99s external web\nsite Privacy Policy Statement is included as Appendix I. Notably, FDIC\xe2\x80\x99s privacy\nstatement includes all of OMB\xe2\x80\x99s suggested model language noted above except\nfor the security, intrusion, and detection language.\n\nFDIC OIG and Legal Division counsel informally opined that the OMB\xe2\x80\x99s guidance\ndoes not require that agencies include all the model language suggested by\nOMB in their respective privacy policies. DIRM officials told us that they\nintentionally did not include security, intrusion, and detection language in the\nprivacy policy because this type of language is not considered to be user-friendly.\nIn addition, they were concerned that this type of language could attract\n\xe2\x80\x9chackers\xe2\x80\x9d. 
According to DIRM officials, if an entity advertises that it monitors for\nunauthorized attempts to upload information \xe2\x80\x93 hackers are more inclined to try.\n\n\n                                             13\n\x0cHowever, FDIC\xe2\x80\x99s General Disclaimer, also posted on its web site, contains\nsecurity, intrusion, and detection language. Specifically, it states\n\n              \xe2\x80\x9cThis is a protected U.S. government web site. It is unlawful\n              to intentionally cause damage to it or to any FDIC electronic\n              facility or data through the knowing transmission of any\n              program, computer virus, information code, or command.\n              This system and related equipment are subject to\n              monitoring. Information regarding users may be obtained\n              and disclosed to authorized personnel, including law\n              enforcement authorities, for official purposes.\xe2\x80\x9d\n\nThus, FDIC addresses this aspect of the model language, but not as part of its\nprivacy statement. Nonetheless, we raised this issue because we learned that\nthe CIO Council is working on new guidance that will likely require agencies to\npost a separate security notice on World Wide Web sites. An official working on\nthe project told us that the goal of the Council is to standardize the language\nused governmentwide. The language that the CIO Council provided to us is\nincluded in Appendix II. The proposed language is similar to the language\nincluded in FDIC\xe2\x80\x99s General Disclaimer. However, the proposed language\nidentifies the applicable criminal statutes that can be pursued for intentional harm\ncaused to a web site.\n\nWe also found that FDIC\xe2\x80\x99s Privacy Policy Statement language was consistent\nwith that of the other agencies we contacted. 
Table I shows the five OMB
language guidance elements and how FDIC's Privacy Policy Statement
compared to the privacy statements of each of the other bank regulation
agencies during our evaluation.

Table I: Comparison of Agency Privacy Policy Statements

Notices and Content                               OCC        Federal    OTS        Treasury   NCUA       FDIC
                                                             Reserve
Privacy Policy on External Web Page               ✓          ✓          ✓          ✓          ✓          ✓
Other Type of Notice or Disclaimer Posted         Security   Disclaimer Security   None       None       General Disclaimer
Introductory Language                             ✓          ✓          ✓                                ✓
Information collected and stored automatically    ✓          ✓          ✓          ✓          ✓          ✓
Information collected from E-mails and web forms  ✓          ✓          ✓          ✓          ✓          ✓
Security, intrusion, and detection language                  ✓                     ✓          ✓
Significant actions where information may                                                                ✓
  be subject to the Privacy Act

Source: OCRE analysis of agency privacy policy statements and other notices


Additional Links Needed to FDIC Privacy Policy Statement

While the content of FDIC's privacy policy was substantially consistent with
OMB's guidance, we found that FDIC's Privacy Policy Statement was not located
on every web page that collects personal information as required.
Specifically,
from FDIC's Internet home page, we systematically reviewed 61 web pages to
test whether there was a link to the Privacy Policy Statement on web pages that
collect personally identifiable information. We found FDIC's privacy policy was
posted as required in 55 of 61 instances. On the six web pages where the policy
was not posted, individuals were required to provide their name, address,
telephone number, or E-mail address to receive information. We talked with
officials at GSA and OMB knowledgeable about OMB requirements and they
agreed that these items are generally considered to be personal information.
Accordingly, they stated FDIC should add links to the Privacy Policy Statement.

We provided OES with copies of the web pages we identified. OES agreed to
review the pages and verify that those pages were indeed required to be linked
to FDIC's Privacy Policy Statement. OES also planned to evaluate whether any
of those pages required a Privacy Act notice because of their ongoing work in
that regard. Specifically, officials in the Legal Division and OES recently
undertook a review of web forms to ensure that Privacy Act notices were posted
as required. Their review found that some web forms did not include the required
Privacy Act notices. Officials told us that the Privacy Act notices were
subsequently added to some of the forms identified in their review. The Privacy
Act Officer was researching the need for a Privacy Act notice for the remaining
forms identified.
The need for a Privacy Act notice is important not only to
comply with the Privacy Act, as we explained in the background section, but also
to ensure that FDIC's Privacy Policy Statement accurately reflects its practice.
Specifically, FDIC's Privacy Policy Statement tells visitors that Privacy Act
notices are posted where required.

We believed omissions of privacy disclosures could continue to occur unless
FDIC strengthens procedures to ensure that officials knowledgeable of privacy-
related disclosure requirements review web pages before they are posted. In
addition, Webmasters and Internet Coordinators must be aware of the need for
such a review. The responses to our survey of Webmasters and Internet
Coordinators indicated that awareness of privacy disclosure requirements might
have been limited. Specifically, 9 of the 14 respondents had reviewed FDIC's
Privacy Policy Statement, and just 2 of the 14 respondents were aware of OMB's
guidance.

FDIC had procedures in place covering the review of information before it is
posted on the web. For instance, FDIC Circular 1213.1, FDIC Forms
Management Program states that the OES in coordination with the Document
Management Section ensures that forms adhere to specific public reporting
requirements, including the Privacy Act. However, we noted that FDIC's Circular
1370.4, Publishing FDIC Information Via the Internet and FDICnet, does not
specifically address the need to consider Privacy Act requirements or the
external Privacy Policy Statement. Further, an OES official told us that officials
knowledgeable about privacy-related disclosures did not always review web
pages before they were published on the Internet.

Certainly, FDIC deserves credit for its efforts to date in developing and posting a
privacy policy on its external web site.
However, FDIC needed to take additional
action to ensure that it fully complies with new mandates and that its privacy
policy accurately reflects its practices. We believed this was important not simply
to comply with requirements, but to help ensure the Corporation effectively deals
with the number one concern of those using the Internet – privacy. Additionally,
and perhaps more importantly, FDIC could lead by example in dealing with an
issue that it is requiring financial institutions to address. Accordingly, we
recommended that:

FDIC's General Counsel should have FDIC's Office of Executive Secretary:

1. Complete its review of web pages we identified and add any necessary links
   to the Privacy Policy Statement and any required Privacy Act notices.

The Director, DIRM, should have the Chief, Internet Publication Section:

2. Contact the CIO Council and review the proposed security notice language
   and determine how the Corporation will respond to the pending guidance from
   the CIO Council.

3. Develop guidance for Internet Coordinators and Webmasters and ensure
   through training or other means deemed appropriate that they are aware of
   privacy-related disclosure requirements of OMB Memorandum 99-18 and the
   Privacy Act. As appropriate, existing procedures for reviewing information
   posted on FDIC's Internet web site should be modified to reflect guidance
   developed.

To the extent necessary, the Chief, Internet Publication Section should work in
consultation with OES and the Legal Division to address these
recommendations.


Privacy and Security Notices at FDICnet

At the time of our review, there was not a requirement to post a privacy policy
statement for employees on Intranets. However, privacy experts believe the
practice of posting a policy statement (i.e., notice or banner) on internal systems
is advisable.
Furthermore, we learned that some other agencies have such
notices posted on internal home pages, E-mail screens, or log-in screens. We
realized that FDIC had various policies addressing this issue. Nevertheless,
without a visible banner or link to a succinct policy statement there was a risk that
employees might not be sufficiently mindful of FDIC's policies. The presence of
a banner reduces that risk by serving to remind employees of pertinent FDIC
policies. FDIC officials told us they were in favor of adding a banner or notice.
We believed this was a prudent action.

No Requirement Exists for Employee Privacy Policy Statement, but Experts
Favor the Practice

None of the external officials we interviewed were aware of any specific guidance
requiring that privacy policies be posted for employees on Intranets. Officials at
OMB and the CIO Council told us these issues have been discussed, but up to
now, the focus has been on developing guidance for external federal web sites.
Nonetheless, an official from the CIO Council told us that the security notice
being developed for external web sites that we previously discussed could be
used on internal systems as well.

According to articles written on the subject, posting a visible banner or notice on
internal systems is an advisable practice. This practice was recommended in
addition to having policies in employee manuals. The reason for posting this
type of banner is to remind employees about the policies for the use of electronic
equipment as well as the policies for monitoring such use. Similar to an external
privacy policy, the intent of this type of notice is to assist employees in
understanding the employer's data collection and information handling practices.
It can also be used to remind employees about the appropriate use of electronic
resources and employee security responsibilities.
Applying the standards for
external policy statements, the notice should be clearly labeled and easily
accessed.

Courts will look at an employer's policies in determining whether employees have
a reasonable expectation of privacy in their electronic communications. For
example, according to an article written on the subject, violations of employee
expectations of privacy whether by accessing a top desk drawer, reading files on
a desk, or reading E-mail have similar consequences. If not done within the
expected norms, employers risk expensive litigation and diminished employee
morale. FDIC believes its policies provide adequate notice of Internet monitoring
procedures such that employees cannot have an objective expectation of
privacy. Nevertheless, additional reminders regarding the written procedures
would further enhance the FDIC's position.

Guidance developed by the Electronic Messaging Association for use in
developing an E-mail monitoring policy is highlighted below. We found this
guidance to be a good summary of what other experts suggest and believe it can
be useful in developing policies for employee use of the Internet and other
electronic equipment resources. Notably, one of the suggested practices is to
post a notice when employees log on to the computer network.


                                     Policy Guidance

1. Develop or extend corporate policies to address employee privacy expectations.

2. Determine the extent of any current monitoring and limit monitoring to "work related" and
   supervisory activities. State extent of monitoring in policy.

3. Educate and periodically remind employees and management of policy.

4. Post a notice when employees log onto the computer network and require an affirmative
   acknowledgement by having the employees indicate that they have read the screen before
   moving on. The notice should state clearly that the system and e-mail are not private and
   will be audited and the parameters of employee use. It should also state on-line etiquette
   for using the network and company resources.

5. Address back-up and retention of stored mail.

6. Set forth how any accessed information will be used.

Source: Electronic Messaging Association


In addition to expert opinion, two agencies we contacted had notices or visible
links to their policy statements on their internal systems. Specifically, we were
told that the Federal Reserve's Internet and Automated Systems: Appropriate-
Use and Privacy Policy periodically appears on employees' screens. Employees
must click a button to acknowledge that they have read the policy statement. We
were also told that the Department of the Treasury's internal home page has a
visible link to its Internet use policy. When using E-mail, employees see a
banner appear on the screen that states E-mail should not be considered private.

An official at the Department of Justice (DOJ) stated it had a banner on the
system log-in screen. The banner essentially tells DOJ employees that they
should have no expectation of privacy and that the use of E-mail and Internet
could be monitored. Employees are required to click a button to acknowledge
the terms of the notice. According to this official, putting this notice up-front
makes the most sense.
The OIG's Office of Audit also found in its review of
Controls Over Employee Internet Use that posting a notice or banner
communicating the Corporation's monitoring policy was done at other agencies
and determined it to be a best practice.

Succinct Notice of Existing Employee Privacy and Security Policies Needed

FDIC had a notice posted on the FDICnet home page that is highlighted below.
However, this notice did not address employee use of the Internet or Intranet,
privacy, or warn that only authorized users should access the system. We did
not see any other notice, banner, or visible link to a privacy policy for employees
posted on the FDICnet home page.


                         FDICnet Home Page Notice
         "FDICnet is the Intranet for the FDIC. This network provides a
         secure location for posting information for the FDIC. Internal
         Resources are accessible through FDICnet. There are also links to
         external sites on the World Wide Web (WWW) to aid research.
         Information posted here cannot be accessed by users of the
         Internet. Links to sites outside of FDICnet do not imply
         endorsement by the FDIC. The FDIC cannot guarantee the validity
         of any site on the WWW."


We also reviewed the notices posted on the FDICnet division and office home
pages. We found that only a few home pages had notices. Generally, the
notices were similar to the notice posted on the FDICnet home page except for
the Legal Division's home page. That home page notice advised employees that
information and documents presented on the Intranet contained information for
internal use of FDIC personnel only.
Further, the Legal Division notice states
that none of the materials should be distributed to the general public without
proper approval.

In addition, FDIC's General Disclaimer posted on the external web site
(www.fdic.gov) states that the terms "extend to the FDIC, its directors, officers,
and employees". In addition to providing a security warning as discussed earlier
in the report, it also provides general notice that the FDIC's system is subject to
monitoring. Employees may occasionally access FDIC's external web site
through the FDICnet home page, but it is not likely they routinely do so.
Moreover, there is nothing visible on the FDICnet home page to direct or link
employees to the General Disclaimer. Thus, employees might not be sufficiently
mindful that the policy statement in the General Disclaimer is applicable to them.

FDIC also had several policies that address employee privacy with regard to
E-mail, use of the Internet and Intranet, and security issues. Employees can
access these policies through the FDICnet. Table II summarizes key aspects of
these policies relative to employee privacy and employee responsibilities with
respect to security.

Table II: Privacy and Security Policy Statements Relative to Employees

Policy: Circular 1370.3, Use of Electronic Communications
Policy Excerpts:
  ✓ The Corporation cannot guarantee that electronic communications will be
    private.
  ✓ It is the policy of FDIC not to regularly monitor the content of electronic
    communication. However, the content of electronic communications and the
    usage of electronic communications will be monitored for the performance of
    operation, maintenance, auditing, security, or investigative functions.
    Electronic communications statistical data will continue to be collected on
    a routine basis.
  ✓ Monitoring may also be necessary in order to comply with legal requirements
    that FDIC records be examined or produced, such as those of the Freedom of
    Information Act, court rules or court orders. Emergencies of internal
    security concerns reasonably necessitate such monitoring.
  ✓ Use of the FDIC's electronic communications systems constitutes the user's
    consent to this policy.

Policy: Circular 1351.3, Internet Access and Acceptable Uses
Policy Excerpts:
  ✓ E-mail is not private communication, since others may be able to read or
    access it.
  ✓ Employees are required to be aware of computer security and privacy
    concerns and to guard against computer viruses and security breaches of any
    kind.
  ✓ Employees should not send any sensitive information without prior approval
    from the appropriate managers, data stewards, and DIRM's Security
    Administration Section. Be aware that Internet E-mail is not a secure
    communication channel.

Policy: FDIC's A User Guide to Information Security
Policy Excerpts:
  ✓ All information sent and received through the Internet should be considered
    vulnerable as it can be read and even manipulated by others. Do not send
    sensitive information over the Internet as it may compromise the security of
    the Corporation.

Policy: FDIC Correspondence Manual chapter on Electronic Correspondence
Policy Excerpts:
  ✓ Employees should not put anything in an E-mail message that they would not
    want anyone other than the intended recipient to see. For example, the
    manual points out that employees should not provide credit card numbers or
    other confidential information that could wind up in the wrong hands.
  ✓ At times it may be necessary to intercept, monitor, disclose, or assist in
    intercepting or disclosing electronic communications. While the Corporation
    is committed to respecting the privacy of its employees consistent with
    applicable law, regulation, and policy, be aware that electronic
    communications can be forwarded, printed, and stored by others.

Source: OIG Analysis of FDIC policies


Consistent with the notice principle and the framework for privacy policy
statements for external web sites, these policies informed employees about:

       •   The information the agency collects about the individuals,
       •   Why the agency collects the information, and
       •   How the information will be used.

However, it could be argued that these policies were not readily apparent to
employees unless they searched through FDIC's directive system.

Although we understood the importance of established policies, we believed
more could be done to ensure employees are mindful of the policies. Generally,
FDIC officials we interviewed agreed. An official from DIRM's Information
Security Staff stated that it was important that all users be made aware of their
rights and the Corporation's responsibilities regarding privacy issues. In addition,
57 percent of Internet Coordinators and Webmasters that responded to our
survey favored the idea of posting a privacy policy statement on the FDICnet.

We did not evaluate the content of these FDIC policies other than to see how
employee privacy was addressed. However, these policies were evaluated as
part of the OIG's review of Controls Over Employee Internet Use. The results of
that review suggested that FDIC should strengthen its policy with respect to the
use of electronic equipment. Accordingly, in conjunction with the findings of that
review, we believed FDIC may want to review GSA's Office of Governmentwide
Policy Memorandum, Model "Limited Personal Use Policy" of Government
Equipment dated June 7, 1999.
This memorandum provides guidance to assist
agencies or departments in defining acceptable use conditions for employees'
personal use of Government office equipment, including information technology.
With regard to privacy, GSA's model policy suggests that "Executive Branch
employees do not have a right, nor should they have an expectation, of privacy,
while using any Government office equipment at any time, including accessing
the Internet, [sic] using E-mail.

"Any use of government communications resources is made with the
understanding that such use is generally not secure, is not private, and is not
anonymous."

In summary, although a privacy policy notice was not required for internal
systems at the time of our review, we believed FDIC needed to add a visible
notice of the Corporation's privacy and security policies directed to employees.
Consistent with their desire to be leaders in evolving technology-based privacy
issues, DIRM officials agreed with the concept. Based on discussions with
officials in DIRM, we believed this banner or notice should appear on the FDIC
log-in screen. Accordingly, we recommended that:

The Director, DIRM should have the Chief, Information Security Section:

4. Develop a notice for FDIC's internal network addressing employee privacy.

Once developed, the Director, DIRM should have the Assistant Director,
Operations Branch:

5. Visibly post the notice developed by the Chief, Information Security Section
   on FDIC's internal network.

To address various privacy interests and security concerns with respect to
employee use of computer resources, we believed DIRM officials should consult
with the Legal Division in developing appropriate language to include in the
notice or policy statement.
We suggested the Corporation consider the following
points in developing the language for the banner:

      •   Consistent with the framework for the external policy, the banner
          should tell employees the type of information the agency collects about
          the individuals, why the agency collects the information, and how the
          information will be used and include appropriate security language.
          The banner should also be clearly visible and easily accessed.

      •   The banner should clearly define for employees the level of privacy to
          be expected when using the Corporation's resources.

Finally, because employee privacy is directly impacted by any changes to the
Corporation's current policies being contemplated as a result of OIG's review of
Controls Over Employee Internet Use, our recommendation should be
considered in conjunction with the results of that review.


FDIC Should Consider Establishing a Corporate Focal Point for Privacy

As we point out in the background section of the report, privacy is the number
one concern of those using the Internet. Privacy policies have emerged as a
common vehicle that government agencies and the private sector have
developed to address privacy concerns of those using the Internet. This was the
focus of this review. However, another matter came to our attention that we
believed warranted further consideration. Specifically, in conducting this review,
it became apparent that FDIC did not have a focal point to address privacy
issues outside the realm of the Privacy Act Officer.
We believed it was important
to raise this issue because privacy has been and continues to be of significant
concern to the public and the Congress.

For example, in the context of this review, no one division, office, or official was
responsible for developing or implementing FDIC's external Web site Privacy
Policy Statement. As we discussed earlier in the report, at FDIC, a team
consisting of officials from DIRM, DCA, and the Legal Division developed FDIC's
Privacy Policy Statement. This approach was appropriate; in fact, we found it
was a recommended approach for developing such a policy. However, during
the review, as issues emerged with respect to interpretation of OMB guidance
and implementation of FDIC's Privacy Policy Statement, there was some degree
of confusion among officials in determining the appropriate boundaries of
responsibility. Given the current visibility and scrutiny privacy policies are
receiving, we believed it was important for the Corporation to have a focal point
to address this issue as well as other privacy-related issues that do not fit under
the umbrella of the Privacy Act.

In this vein, we believed ongoing changes in technology would cause new issues
and new expectations to arise regarding privacy. According to FDIC's
Information Technology Strategic Plan, FDIC's strategy is to expand the use of
the Internet and Intranet for both internal and external communication and
transaction processing. Not only are Internet privacy issues emerging daily, but
employee privacy issues are also on the rise because of technology. In addition,
FDIC must also ensure that privacy issues are considered in the development of
new systems, a role now fulfilled in part by the Privacy Act Officer.

Moreover, privacy issues extend beyond the context of the Internet, FDICnet,
and systems development at FDIC.
As a regulatory agency, FDIC must be
sensitive to financial privacy concerns of consumers. Under the newly enacted
Gramm-Leach-Bliley Act, FDIC was part of a team of regulators that developed a
rule that, in part, will require financial institutions to provide notice to customers
about their privacy policies and practices. Going forward, FDIC will be responsible
for regulating institutions' implementation of the final rule with regard to privacy
policies and practices. We believed FDIC needed to ensure that the implications
of this legislation and rule are understood corporate-wide.

The growing impact of privacy concerns on organizations is not unique to FDIC.
In the private sector, some of the largest banks are appointing corporate privacy
officers. The intent of doing so is to give privacy visibility and send a message
that privacy is considered an important area of concern to be addressed. We
also learned that some federal agencies, including the Internal Revenue Service
and the Department of Health and Human Services, have appointed Privacy
Advocates, whose primary responsibility is to oversee their agency's compliance
with privacy laws and to participate in the development of privacy policies. In
both organizations, these Privacy Advocates are senior level officials distinct
from Privacy Act Officers.
More specifically, these officials are responsible for
such things as:

   •   consulting on proposals for new data systems, for programs requiring new
       collections of data, and for regulatory and legislative actions necessitating
       data collection, and providing advice on the implications of personal
       privacy;

   •   conducting or commissioning research and technical studies on disclosure
       policies;

   •   focusing on issues of use and disclosure of personal information for other
       agencies of government, as well as privacy and consumer advocacy
       organizations, and private-sector organizations that use personal data;
       and

   •   training employees on privacy issues and policies, including the
       seriousness of non-compliance.

Certainly, the concern for privacy is heightened by the nature of the information
handled by these agencies. However, we believed the concept of a focal point
for privacy, such as these Privacy Advocates, should be studied further by FDIC
management. Accordingly, we recommended that:

The Chief Operating Officer, Chief Financial Officer, and General Counsel:

6. Form a working group to study, and prepare a report on, the need for
   establishing a focal point in the Corporation for privacy issues. This focal
   point could either be a senior-level official or a committee of senior-level
   officials that would:

   •   promote privacy awareness throughout the Corporation,
   •   provide consultation and technical expertise on incorporating privacy
       principles into data systems and business activities, and
   •   be a point of contact and source of information on privacy issues as they
       relate to the Corporation's bank regulatory oversight responsibilities.

We suggested that the working group consist of representatives of divisions most
impacted by privacy issues, regulations, and legislation. The resulting report
could be presented to the Operating Committee or Chairman's Working Group,
whichever is deemed to be the most appropriate based on the nature of the issue
and outcome of the study.


Corporation Response and OIG Evaluation

We received written responses to our draft report from the General Counsel and
Director, DIRM. Specifically, on May 15, 2000, we received a response from the
General Counsel addressing recommendations 1 and 6. On May 17, 2000, the
Director, DIRM provided a response to recommendations 2 through 5. Overall,
both the Legal Division and DIRM agreed with the report's findings and
recommendations. The responses provided the requisite elements of a
management decision for each of the recommendations.
Management’s written
responses are included in their entirety in Appendix I.


Appendix I

             Corporation Comments

[The written responses of the General Counsel and the Director, DIRM, appear in
the original report as four page images and are not rendered here.]


Appendix II

Management Response to Recommendations

This table presents management responses to the recommendations in our report
and the status of management decisions. Management's written responses to our
report provided the information for the management decisions.

Rec. 1
   Corrective action (taken or planned): The Office of Executive Secretary (OES)
      completed its review of the web pages that the OIG identified as
      potentially lacking necessary links to the Privacy Policy Statement and/or
      Privacy Act notices.
   Expected completion date: Completed
   Documentation that will confirm final action: Memorandum from OES describing
      the results of its review.
   Monetary benefits: No
   Management decision: Yes

Rec. 2
   Corrective action (taken or planned): The Division of Information Resources
      Management (DIRM) Internet Publication Section (IPS) has reviewed the
      Chief Information Officers Council’s proposed security notice and will
      implement a security notice on FDIC’s Internet web site.
   Expected completion date: 06/30/00
   Documentation that will confirm final action: Copy of the security notice
      posted on FDIC’s Internet web site.
   Monetary benefits: No
   Management decision: Yes

Rec. 3
   Corrective action (taken or planned): IPS will develop guidance for Internet
      Coordinators and Webmasters to ensure awareness of privacy-related
      disclosure requirements. In addition, existing procedures for reviewing
      information posted on FDIC’s Internet web site will be modified to
      reflect the guidance developed.
   Expected completion date: 11/30/00
   Documentation that will confirm final action: Guidance issued to Webmasters
      and Internet Coordinators, and the modified procedures.
   Monetary benefits: No
   Management decision: Yes

Rec. 4
   Corrective action (taken or planned): DIRM’s Information Security Section
      will develop a privacy statement in conjunction with the Legal Division
      and provide that statement to DIRM’s Technical Infrastructure staff to
      post on the internal system.
   Expected completion date: 07/31/00
   Documentation that will confirm final action: Privacy statement developed by
      DIRM and the Legal Division.
   Monetary benefits: No
   Management decision: Yes

Rec. 5
   Corrective action (taken or planned): DIRM’s Technical Infrastructure staff
      will visibly post the privacy statement on FDIC’s internal network after
      a 1-month pilot implementation.
   Expected completion date: 10/31/00
   Documentation that will confirm final action: Copy of the privacy notice
      posted on FDIC’s internal network.
   Monetary benefits: No
   Management decision: Yes

Rec. 6
   Corrective action (taken or planned): A working group will be formed to study
      and prepare a report on the need for establishing a corporate focal point
      for privacy issues.
   Expected completion date: 06/15/00
   Documentation that will confirm final action: Memorandum documenting the
      formation of the working group.
   Monetary benefits: No
   Management decision: Yes


 Appendix III

                FDIC’s External Web Site Privacy Policy Statement
The FDIC is strongly committed to maintaining the privacy of your personal information. The
following discloses our information gathering and dissemination practices for this site. The
information the FDIC receives depends upon your actions when visiting the Corporation’s web
site.

Information Collected About Your Visit to the Web Site
The FDIC automatically collects and stores the following information about you when you visit our
Web site:

    •   The date and time the request was received.
    •   Your Internet Protocol (IP) address, or the proxy address of your Internet Service
        Provider (e.g. AOL, CompuServe, and so on).
    •   The name and IP address of the FDIC server that received and logged the request.
    •   The resource on an FDIC server accessed as a result of the request, such as the Web
        page, image, and so on.
    •   The query in the request. This field captures any criteria or parameters issued with a
        query, such as a bank name or insurance certificate number.
    •   The name and version of your Web browser (e.g. Netscape 4.0).
    •   The content of any sent or received cookie.
    •   The Uniform Resource Locator (URL) that was accessed before the user made a request
        for FDIC’s Web server.
        The URL may be an outside address that is not related to the
        FDIC server.
    •   Other status codes and values resulting from the Web server responding to the request
        received: HTTP status code, Windows NT code, number of bytes sent, number of bytes
        received, duration (in seconds) to fulfill the request, server port number addressed, and
        protocol version.

Some parts of the FDIC Web site may use a "cookie", which is a file placed on your computer
hard drive, that allows the FDIC web server to log the pages you use in the FDIC site and to
determine if you have visited the site before. The cookie captures no personally identifying
information. The FDIC server uses this information to provide certain features during your visit to
the Web site. You can set your browser to warn you when placement of a cookie is requested,
and decide whether or not to accept it. By rejecting a cookie, some of the features available on the
site may not function properly.

Other than the automatic data collection described above, this site collects no personally
identifying information. The sole exception is when you knowingly and voluntarily provide
information, such as when you fill in your name and address on the FOIA request form.

The FDIC uses the information we collect for internal system administrative purposes, to measure
the volume of requests for specific web site pages, and to continually improve the FDIC Internet
site to be responsive to the needs of users. Your choice to use the FDIC Web site or to send
electronic mail to FDIC will be considered your consent for the FDIC to use the information
collected therefrom as stated in this notice.

Information Collected From You
You may decide to send the FDIC information, including personally identifying information. The
information you supply – whether through a secure Web form, a standard Web form, or by
sending an electronic mail message – is maintained by the FDIC for the purpose of processing
your request or inquiry. The FDIC also uses the information you supply in other ways to further
the FDIC’s mission of maintaining stability and public confidence in the nation’s banking system.

Various employees of the FDIC may see the information you submit in the course of their official
duties. The information may also be shared by the FDIC with third parties, including other federal
or state government agencies, to advance the purpose for which you provide the information. For
example, if you file a complaint, it may be sent to a financial institution for action, or information
may be supplied to the Department of Justice in the event it appears that federal criminal statutes
have been violated by an entity you are reporting to the FDIC. The primary use of personally
identifying information will be to enable the government to contact you in the event we have
questions regarding the information you have reported.

Under certain circumstances, the FDIC may be required by law to disclose information you submit
to the Corporation, for example, to respond to a Congressional inquiry or subpoena.

If you register with an FDIC online mailing list, the information you provide may also be used to
send you FDIC communiqués or notify you about updates to our web site.

When you choose to send e-mail to the FDIC, you are consenting to the FDIC using the
information provided therein, including personally identifying information, in accordance with this
notice, unless you expressly state in the e-mail your objection to any use(s).

As required by federal law, Privacy Act statements are located throughout this web site where the
FDIC requests information from you.

Contacting the FDIC About This Web Site
If you are concerned about how information about you may have been used in connection with
this web site, or you have questions about the FDIC’s privacy policy and information practices,
you should contact:
    FDIC Webmaster
    FDIC
    550 17th Street, N.W.
    Washington, DC 20429

    E-mail: webmaster@fdic.gov
Electronic mail is not necessarily secure. You should be very cautious when sending electronic
mail containing sensitive, confidential information. As an alternative, you should give
consideration to sending it by postal mail.


 Appendix IV

                   CIO Council’s Proposed Security Notice


This web site is part of a Federal computer system used to accomplish Federal
functions. The [Agency name] uses software programs to monitor this web site
for security purposes to ensure it remains available to all users and to protect
information in the system. By accessing this web site, you are expressly
consenting to these monitoring activities.

Unauthorized attempts to defeat or circumvent security features, to use the
system for other than intended purposes, to deny service to authorized users, to
access, obtain, alter, damage, or destroy information, or otherwise to interfere
with the system or its operation are prohibited. Evidence of such acts may be
disclosed to law enforcement authorities and result in criminal prosecution under
the Computer Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act of 1996, codified at section 1030 of Title 18 of the
United States Code, or other applicable criminal laws.
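The list of items in Appendix III that the web server records automatically is, in
effect, the server's access-log schema, and two of those items deserve a practitioner's
attention: "the query in the request" and "the content of any sent or received cookie".
The statement says the cookie captures no personally identifying information, but a form
submitted with GET places every field the visitor typed into the logged query, so a name
or e-mail address entered on a form can end up in the same log that is kept "for internal
system administrative purposes". The following Python example is added here and is not
part of the report or of FDIC's systems. It assumes the server writes the W3C extended log
format, whose field names (for instance sc-win32-status for the "Windows NT code") closely
match the notice's list; that mapping, the page paths and the log lines are all constructed
for the example. It parses the log, flags entries whose free-text fields contain an e-mail
address, and applies a minimization pass that keeps the operational fields and drops the
identifying ones.

```python
"""Parse W3C extended web-server access-log lines and apply a data-minimization
pass that keeps the operational fields (status, bytes, timing, resource) while
dropping or reducing the ones that can identify a visitor.

Added example, not the report's or FDIC's code. Field names follow the W3C
extended log format, which the notice's list of automatically collected items
closely matches (an assumption, not something the notice states). All log lines
and paths below are constructed."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample (IIS-style W3C extended log). The third request is a form
# submitted with GET, so the visitor's name and e-mail land in cs-uri-query.
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2000-05-01 14:02:11 203.0.113.45 WWW1 192.0.2.10 80 GET /bank/lookup.asp name=First+Example+Bank&cert=12345 200 0 5120 310 1 HTTP/1.0 Mozilla/4.0 SESSION=abc123 http://search.example.net/q?fdic+bank
2000-05-01 14:02:12 203.0.113.45 WWW1 192.0.2.10 80 GET /images/logo.gif - 200 0 2048 210 0 HTTP/1.0 Mozilla/4.0 SESSION=abc123 http://www.fdic.gov/bank/lookup.asp?name=First+Example+Bank
2000-05-01 14:03:40 198.51.100.7 WWW1 192.0.2.10 80 GET /foia/request.asp name=Jane+Doe&email=jane@example.org 200 0 1024 400 2 HTTP/1.0 Mozilla/4.5 - -
"""

# Query parameters that describe what was looked up rather than who looked,
# keyed by page (hypothetical paths). The same parameter name ("name") is a
# bank on one page and a person on another, so the allow-list is per resource.
QUERY_ALLOWLIST = {"/bank/lookup.asp": {"name", "cert"}}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
IDENTIFYING_FIELDS = ("cs-uri-query", "cs(Cookie)", "cs(Referer)")


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by the names
    in the #Fields directive. Values are space separated; IIS writes embedded
    spaces as '+', so a plain split is safe."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def audit_pii(records: list[dict[str, str]]) -> list[tuple[int, str]]:
    """Return (record index, field) pairs where a logged free-text field
    contains something that looks like an e-mail address."""
    hits = []
    for i, rec in enumerate(records):
        for field in IDENTIFYING_FIELDS:
            if EMAIL_RE.search(rec.get(field, "-")):
                hits.append((i, field))
    return hits


def anonymize_ip(ip: str) -> str:
    """Zero the host octet of an IPv4 address: enough to count traffic by
    network, not enough to single out one visitor. Anything else becomes '-'."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "-"
    return ".".join(parts[:3] + ["0"])


def minimize(rec: dict[str, str]) -> dict[str, str]:
    """Return a copy of one record with identifying content removed."""
    out = dict(rec)
    out["c-ip"] = anonymize_ip(rec.get("c-ip", "-"))
    # Cookie contents are dropped outright; only their presence is retained.
    out["cs(Cookie)"] = "present" if rec.get("cs(Cookie)", "-") != "-" else "-"
    # Keep only the parameters allow-listed for this page; drop everything else.
    query = rec.get("cs-uri-query", "-")
    if query != "-":
        allowed = QUERY_ALLOWLIST.get(rec.get("cs-uri-stem", ""), set())
        kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k in allowed]
        out["cs-uri-query"] = urlencode(kept) if kept else "-"
    # Referer: keep scheme and host only. Knowing where visitors came from does
    # not require storing the path and query of an outside site.
    referer = rec.get("cs(Referer)", "-")
    if referer != "-":
        parts = urlsplit(referer)
        out["cs(Referer)"] = f"{parts.scheme}://{parts.netloc}" if parts.netloc else "-"
    return out


def minimize_log(text: str) -> list[dict[str, str]]:
    """Parse and minimize a whole log in one step."""
    return [minimize(r) for r in parse_w3c(text)]


if __name__ == "__main__":
    raw = parse_w3c(SAMPLE_LOG)
    print("PII hits before minimization:", audit_pii(raw))
    for rec in minimize_log(SAMPLE_LOG):
        print(rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"], rec["cs(Cookie)"], rec["cs(Referer)"])
```

Run as is, the audit flags the FOIA request (record index 2, field cs-uri-query) before
minimization and nothing after it; the bank lookup keeps its bank name and certificate
number because those are what the page is for, while the same "name" parameter on the
FOIA page is dropped. The per-resource allow-list is the point of the design: a global
list of "safe" parameter names cannot tell a bank's name from a person's. A complementary
fix on the application side is to have forms that collect personal data submit with POST,
since request bodies do not appear in the logged query field at all.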